Officials knew about security vulnerabilities before attack

Internal security audits show that University of Missouri System administrators and security staff were aware of security vulnerabilities affecting UM information systems prior to the database attack in early May.

Over the course of several hours on May 3 and 4, hackers stole the names and Social Security numbers of more than 22,000 employees and students from a database created in 2004 by a Division of IT employee. The database was never removed from the system, according to a news release from UM.

MU spokesman Scott Charton said of the May breach, “The threat is a known vulnerability within the technology industry.”

The security audits, which are being continuously performed by Division of IT security personnel, are intended to address specific vulnerabilities within the UM System. The audit reports, copies of which were obtained by the Columbia Missourian under Missouri’s open records laws, were redacted to prevent confidential information from becoming public, according to David Russell, the custodian of records and chief of staff for the UM System. A paragraph from the report of an audit conducted in March reads: “The management and general organization of duties around the system is well within security best practice guidelines and the external firewall configuration is offering superior protection to the system. However, a significant risk to confidentiality exists because of the [REDACTED]. This risk to confidentiality should be addressed by [REDACTED].”

Russell said that the documents were censored to prevent unauthorized information from being made public and the censorship was done in accordance with the law.

The amount of redaction made it impossible to determine if the risk identified in the March audit was the same risk that allowed the May breach.

The UM System maintains a vast array of student, employee and third-party data, including medical and financial information. As vice president for information technology, Gary Allen has the task of maintaining security to protect privacy within the UM System.

“There are a tremendous and an exponentially growing number of security risks that we have to deal with, so we have this tension between trying to optimize the balance between restricting access, protecting our nest eggs, in terms of data that we are responsible for, and at the same time providing as open an environment as we can for the free exchange of information, which is what the university is all about,” Allen said.

The nature of information sharing within an institution of higher learning makes Allen’s job all the more difficult. There is no all-encompassing law or regulation that governs data storage, but rather, a maze of federal and state laws with which UM must comply.

For example, the federal Health Insurance Portability and Accountability Act regulates medical records within the UM System; the Family Educational Rights and Privacy Act establishes guidelines for disclosing educational records to third parties; and other university operations may have to comply with security protocols protecting top-secret government data.

In addition, schools that accept federal funding are required by law to protect certain kinds of private financial information.

An unsigned draft letter to the U.S. Department of Education, obtained by the Missourian, says that “The intrusions did not affect any systems holding student financial aid (information) or student loan records.” The kinds of employee data that were compromised in May are not regulated by those laws.

Thirty-three states have laws that require public institutions that house confidential information to disclose any breach of security. Missouri does not.

“You can’t prevent identity theft, you can only mitigate the damage,” said Pat Dane, chief financial officer for the company MyPublicInfo.com. Dane’s company contacted UM officials after the May attacks with an offer to provide free services to monitor the identities of those affected. Dane said that his company’s offer was ignored. The Missourian obtained e-mails confirming that the company offered its services, but no response from the system was documented.

Last week UM officials announced that they had negotiated a deal with Experian to offer credit monitoring for $3.46 a month. Charton explained that the delay in offering the services was a result of UM efforts being initially focused on “working aggressively to manage any risks to other university systems.”

“We have to comply with all of the federal guidelines for HIPAA, FERPA and any restricted data that could be restricted by virtue of it being top secret, if it’s a highly secure research initiative. It could be required to be maintained as confidential because it’s a result from contract work; research contracts that might be going on between one of the labs and a corporate entity, for example,” Allen said. “So, we have the full spectrum of information types that are in the ownership of the university.”

Many private corporations and an increasing number of universities have administrative level positions such as chief privacy officers and chief security officers who reconcile the wide range of privacy and security issues. Neither position exists at MU, but Allen said that there are plans to create a CPO position. Allen said any future privacy officer would report to him.

MU has begun working to reduce one potential problem, eliminating unnecessary Social Security numbers from official UM documents and forms. The effort began in earnest earlier this year, but there are some cases where UM must use those numbers, as in the case of employment records.

“I had been working with President Floyd and in April, early April, he issued a memo, a directive to me, which we started acting on, which was to systematically secure all of the Social Security information in the entirety of the university from all of our central administrative systems all the way up to the peripheral applications that are living anywhere on any of the campuses, or in the hospital, and all the way out to the desktop.” Allen said.

An e-mail from Thomas Phillips, an MU biology professor, to Allen, Deaton and members of the Faculty Council Executive Committee, which was released to the Missourian, outlines some concerns about the current collection practices:

“At yesterday’s meeting with the Chancellor, we discussed computer security and SS #’s. One point that was made was the urgent need for MU to eliminate all non-essential use of SS #’s on official forms. This got me thinking and I just used Google Desktop search feature to scan my personal office computer for my own SS #. I only found it on about 30 documents!” Phillips goes on in his e-mail, “I have deleted those documents or erased my social security number from them but more troubling were my many archived copies of Travel Expense forms (UM-11) previously submitted for getting official travel expenses reimbursed.”

UM administrators are also evaluating other types of information that they collect.

“We need to re-examine every instance where we are asking for that kind of information to determine if there is a legitimate business need. And, if there is, then we need to do it. And, if there is a need then there needs to be appropriate security wrapped around those processes, appropriate training for the individuals who will have access to that data going forward,” Allen said. “If there’s not, then it’s a place where we can eliminate another potential vulnerability.”